
LG-12871: Remove exceptions for client-side reCAPTCHA execute #10408

Merged
merged 1 commit into from
Apr 12, 2024

Conversation

@aduth aduth commented Apr 11, 2024

🎫 Ticket

LG-12871

🛠 Summary of changes

Updates client-side reCAPTCHA behavior to always invoke during client-side form submission, regardless of whether the user is exempted from backend validation.

This is based on a recommendation to improve the quality of assessments by avoiding bias toward certain subsets of users.

📜 Testing Plan

Prerequisite: You'll need valid reCAPTCHA keys for at least the invisible check. In local development, you can use keys generated yourself with the free version of reCAPTCHA:

  1. Go to https://www.google.com/recaptcha/admin
  2. Create keys for local development as a "Score based (v3)" type
  3. Update configuration in config/application.yml, adding your v3 site and secret keys. v2 values need to be present, but they don't need to be valid keys.
    recaptcha_site_key_v2: 'any-value-doesnt-matter'
    recaptcha_site_key_v3: '[insert-v3-site-key]'
    recaptcha_secret_key_v2: 'any-value-doesnt-matter'
    recaptcha_secret_key_v3: '[insert-v3-secret-key]'

Validate that client-side reCAPTCHA runs for all numbers, but is only validated on the backend for international numbers:

  1. Go to http://localhost:3000
  2. Create an account
  3. Continue account creation until MFA selection screen
  4. Choose phone as MFA method and click "Continue"
  5. Add a breakpoint here in your browser devtools:
  6. Add a binding.pry breakpoint before this line:
    return true if exempt?
  7. Enter a phone number
  8. Click "Submit"
  9. Observe that the breakpoint added in Step 5 is triggered, regardless of phone number
  10. Allow breakpoint to continue ("Resume script execution" in Chrome Devtools debugger)
  11. Observe in your terminal that the breakpoint added in Step 6 is triggered
  12. Enter exempt? in your terminal breakpoint
  13. Observe that the value is false if you submitted an international number, or true otherwise

changelog: Internal, Spam Mitigation, Remove exceptions for client-side reCAPTCHA execute
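The two-layer behaviour the testing plan checks (client-side reCAPTCHA executes for every phone number, backend validation short-circuits with `return true if exempt?` for exempt numbers) can be modelled in a few lines. The following is an added example, not identity-idp's own code: the class names, the `MIN_SCORE` threshold, the "+1 numbers are exempt" rule and the fake reCAPTCHA service are all hypothetical stand-ins chosen for illustration.

```ruby
# Added example (not identity-idp's own code). Models the PR's behaviour:
# the client executes reCAPTCHA unconditionally, the backend only enforces
# the score for non-exempt (here: international) phone numbers.

# Hypothetical exemption rule, assuming E.164-style input: a number with an
# explicit country code other than +1 counts as international.
def international_number?(phone)
  normalized = phone.to_s.delete('^0-9+')
  normalized.start_with?('+') && !normalized.start_with?('+1')
end

# Stand-in for the reCAPTCHA service. Counts client-side executions and
# returns the score recorded for a token when the backend verifies it.
class FakeRecaptchaService
  attr_reader :executions

  def initialize(scores)
    @scores = scores # token => score, constructed for this example
    @executions = 0
  end

  # Analogue of grecaptcha.execute(): called for every submission.
  def execute(token)
    @executions += 1
    token
  end

  # Analogue of the siteverify call: nil for an unknown token.
  def score_for(token)
    @scores[token]
  end
end

# Backend form object mirroring the `return true if exempt?` short-circuit
# named in the testing plan.
class PhoneRecaptchaForm
  MIN_SCORE = 0.5 # hypothetical threshold

  def initialize(phone:, token:, service:)
    @phone = phone
    @token = token
    @service = service
  end

  def exempt?
    !international_number?(@phone)
  end

  def valid?
    return true if exempt? # exempt numbers skip backend score validation
    score = @service.score_for(@token)
    !score.nil? && score >= MIN_SCORE
  end
end

# Full submission path: the client always executes reCAPTCHA (no exemption
# check on the client side); only the backend consults exempt?.
def submit_phone(phone, token, service)
  sent_token = service.execute(token)
  form = PhoneRecaptchaForm.new(phone: phone, token: sent_token, service: service)
  { exempt: form.exempt?, valid: form.valid? }
end

if __FILE__ == $PROGRAM_NAME
  service = FakeRecaptchaService.new('low' => 0.1, 'high' => 0.9)
  p submit_phone('+1 202 555 0100', 'low', service)   # exempt, valid
  p submit_phone('+44 20 7946 0000', 'low', service)  # not exempt, invalid
  p submit_phone('+44 20 7946 0000', 'high', service) # not exempt, valid
  p service.executions                                # 3: executed every time
end
```

The point of structuring it this way is visible in the execution count: every submission contributes an assessment to reCAPTCHA regardless of exemption, which is the bias concern the summary cites, while the backend outcome for exempt numbers is unchanged.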
@aduth aduth requested a review from a team April 11, 2024 13:18

@mdiarra3 mdiarra3 left a comment


Nice looks good.

@aduth aduth merged commit 75c558f into main Apr 12, 2024
2 checks passed
@aduth aduth deleted the aduth-lg-12871-recaptcha-execute branch April 12, 2024 12:16
@mitchellhenke mitchellhenke mentioned this pull request Apr 16, 2024